Information, influence and narratives have played a vital role in conflicts throughout human history. Genghis Khan notably favored influence operations, allowing his soldiers to become operatives who would spread messages to persuade targets to surrender in advance of the invasion. As scholar Jack Weatherford notes in Genghis Khan and the Making of the Modern World, “paper was the most potent weapon in Genghis Khan’s arsenal.”
Though information warfare is ancient, stretching back long before Genghis Khan, it has been revolutionized by the internet, which has radically reshaped how information is proliferated, sought, consumed and shared. Platforms such as social media, internet forums and video sharing sites, technologies such as artificial intelligence (AI), and the ability to anonymize or obscure identity are all major factors that have transformed information ecosystems throughout the globe.
Cybersecurity, born and raised on the internet, has a lot to teach us about how to counter modern attacks in the ancient domain of information warfare. In fact, many concepts and techniques, tactics and procedures (TTPs) that have been defined and refined in the field of cybersecurity can be directly applied to countering malicious activities in the information ecosystem, such as misinformation, disinformation, malinformation and influence operations.
What is Cognitive Security?
Information security (infosec) – the protection of information and information systems from unauthorized access, modification or use – is actually more than only cybersecurity. Information security has the following three layers: cybersecurity, physical security and cognitive security.
Cybersecurity, broadly speaking, involves machines and the networks between them. Physical security consists in protecting physical access to machines and sensitive information stored in other formats (e.g., paper, print media). Finally, cognitive security involves humans and the networks between them, including their beliefs, behaviors and the communities to which they belong.
Cognitive security (CogSec) is the application of information security principles, practices and tools to misinformation, disinformation, influence operations and other forms of digital harm. It takes a socio-technical lens to high-volume, high-velocity and high-variety forms of “something is wrong on the internet.” Cognitive security can be seen as a holistic view of disinformation from a security practitioner’s perspective.
Information Security: Cybersecurity vs. Cognitive Security
Cognitive security is a branch of information security that shares foundational principles with the other branches. A set of direct parallels can be framed between cybersecurity and cognitive security.
Like computers, people can be considered ‘endpoints.’ Networks are comparable to communities in being a means of exchanging information among these endpoints; note, social media platforms are often called “social networks.” The internet is the sphere where beneficial, benign and malicious information and activity can proliferate in the cyber and information ecosystems. Lastly, computer data drives machine actions from receiving emails to detonating ransomware. Beliefs held by people shape behaviors that motivate actions across the full spectrum of human activity.
The parallels between cybersecurity and cognitive security extend beyond these foundational concepts. For example, malware is malicious code that corrupts machine behavior to deliver effects, such as ransomware encrypting files to extort victims. Similarly, narratives can include forms of disinformation that distort human understanding to influence behavior in line with a threat actor’s intentions.
Transposing Infosec Frameworks, TTPs and Toolsets Into Cogsec
The similarities between cybersecurity and cognitive security extend beyond conceptual parallels. In fact, many of the frameworks, tools, and TTPs employed in cybersecurity also prove useful in cognitive security.
The DISARM Framework maps out TTPs for both attackers and defenders within the information ecosystem in a style similar to the MITRE ATT&CK framework. The DISARM Red Framework includes TTPs such as baiting legitimate influencers and using botnets to amplify content. The Blue Framework includes TTPs such as honeypotting social communities and seizing and analyzing botnet servers. The DISARM Framework is already being used by threat researchers, as seen in TeamT5’s analysis of video-based Chinese information operations used throughout various campaigns related to Xinjiang and COVID-19.
The DISARM framework also will allow STIX files to be created and distributed via a TAXI server related to objects such as threat actors, attack patterns, narratives, identities, campaigns, and other artifacts. As with cybersecurity, these tool will prove incredibly useful as a means of exchanging threat intelligence in human and machine-readable formats that are written out in a common language.
Just as a security operations center (SOC) is common practice in cybersecurity, an analogous ‘CogSOC’ can be used to defend against digital harms in the information ecosystem. This can be elaborated upon at length; however, at a high level, it involves monitoring systems within the information ecosystem (e.g., social media), detecting threats (e.g., corrupted and amplified narratives), and facilitating incident response (e.g., production and promotion of counter-narratives). CogSOCs can also be integrated into existing infosecurity infrastructure, working closely with the cyber SOC and other teams to detect, investigate, and respond to emerging incidents.
A Call to Action for the InfoSec Community
Specialists in the InfoSec community – from threat analysts and SOC managers to subject matter experts and CISOs – have valuable skills to contribute to cognitive security. People with cybersecurity skills can help detect, investigate, and find meaningful patterns in malicious activity in the information ecosystem. InfoSec workers can also help convey this information to those who facilitate incident response, be they public affairs specialists, marketing firms, PR agencies, influencers, or legal teams.
Threats in the information ecosystem pose as severe and persistent of a problem as threats in the cyber ecosystem. Just as with cyber-attacks, digital harms such as disinformation, misinformation and influence operations present a massive, complex issue. There is no ‘silver bullet.’ And so, as with cybersecurity, it will take teams of researchers and responders, numerous private firms, a common language, and a robust set of tools and frameworks to begin countering these digital harms. This is a massive undertaking, but given the criticality and timeliness of the issue, it is a necessary effort that must be carried out with creativity, collaboration, and integrity.